How Bug Bounty and Attack Surface Management can help you comply with the Digital Operational Resilience Act’s upcoming requirements
November 16, 2023
Financial services firms in the EU are scrambling to comply with a wide-ranging cybersecurity regulation that comes into force in just 14 months’ time.
Organisations can accelerate their progress down the path to compliance with the Digital Operational Resilience Act (DORA) by leveraging attack surface management and crowdsourced security testing.
What is DORA?
DORA aims to bolster the financial service sector’s information and communications technology (ICT) capabilities across five pillars: risk management, incident reporting, operational resilience testing, third-party risk monitoring and information sharing.
The regulation reflects concern in Brussels about the industry’s growing, increasingly complex attack surfaces – and the repercussions serious incidents could have not just across the sector, but for the wider economy too.
These fears are understandable. The financial sector is surpassed only by manufacturing in terms of its share of worldwide cyber-attacks, while the increasingly fraught geopolitical situation is only further heightening risks.
Violations could attract fines of up to 2% of an organisation’s annual worldwide turnover or, for individuals found liable, a maximum fine of €1 million.
As well as improving incident response and recovery, the regulatory framework obliges organisations to be more proactive in identifying and locking down the vectors that enable cyber-attacks.
To this end, DORA mandates new minimum levels of security testing that traditional approaches to finding ICT vulnerabilities may be ill-equipped to fulfil – especially given DORA’s 24-month implementation period. From banks to insurance companies and asset management firms, financial entities of all kinds must be compliant by 17 January, 2025.
The YesWeHack platform, which combines Bug Bounty, Vulnerability Disclosure Policy, Pentest Management and Attack Surface Management solutions, can help organisations cost-effectively fulfil these daunting new obligations by continuously tracking their proliferating online assets and subjecting them to rigorous security testing.
Threat-led penetration testing
DORA requires that financial firms identify and remediate digital weaknesses and vulnerabilities. To this end, they must conduct annual security testing programs for ICT tools and systems as well as ‘threat-led penetration testing’ (TLPT) at least every three years for ICT services affecting critical functions (including those provided by third-party providers). At least one of every three TLPT engagements must be undertaken externally.
TLPT is described by DORA as “a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems.”
Fulfilling this obligation needn’t – as many CISOs might assume – rely solely on traditional pentesting or red teaming approaches. After all, DORA’s demands for proactive, continuous risk identification are at odds with the time-boxed nature of conventional pentest engagements.
By contrast, Bug Bounty Programs typically offer organisations continuous and flexible access to the multifarious skills of tens of thousands of ‘ethical’ hackers.
Cut costs on your way to compliance
DORA harmonises regulations that currently diverge between member states, and prioritises operational resilience following post-financial crash reforms that focused on financial resilience.
And if harmonisation promises to simplify and reduce the cost of compliance in an inherently cross-border sector, then a unified offensive security strategy can also simultaneously simplify and lower the cost of fulfilling the new security obligations.
YesWeHack’s Bug Bounty service is, for instance, priced by results – organisations pay only for valid, actionable bugs, with ‘bounties’ determined by a bug’s severity.
The YesWeHack platform as a whole, meanwhile, “allows simple, unified processing and remediation of vulnerabilities reported from various sources, whether Bug Bounty, internal or external pentests, or Vulnerability Disclosure Policies (VDPs),” says Aïmad Berady, VP Product at YesWeHack. “This ease of management simplifies internal procedures for analysing, prioritising and remediating discovered vulnerabilities.”
Rapidly launched and quickly scalable, Bug Bounty Programs are also well placed to accommodate DORA’s demands for a rapid increase in cyber capacities in the context of a global cyber skills shortage. These advantages are a particular boon for organisations with countless ICT providers to audit or medium-sized entities that were hitherto exempt from the patchwork of rules that DORA replaces.
“Our experts can be mobilised in a very short time,” says Berady. “Bug hunters are also capable of discovering zero-day [previously unknown] vulnerabilities that allow malicious hackers to penetrate quickly while remaining under the radar of detection systems, with a very low number of exploitation attempts,” he adds.
Indeed, in a recent report Akamai said a 65% year-on-year jump in web and API attacks against the financial services industry was fuelled by “cybercriminal groups’ active pursuit of zero-day and one-day vulnerabilities as pathways for initial intrusion”.
Tristan Lewitte, Customer Success Manager at YesWeHack, points out that bug hunters also have more time “to study the scope and its defenses, bypass security tools and explain how they did it. And the sheer volume of activity alone gives better insights than a pentest,” he adds.
Real-time visibility of a Bug Bounty Program’s ‘hacktivity’ via YesWeHack’s Vulnerability Center is also a “perfect tool for fulfilling DORA requirements around testing and finetuning policies, processes and security tools, and monitoring, prevention and detection capacities, as well as training security teams and developers,” says Lewitte.
DORA prescribes stringent data security requirements for processing highly sensitive TLPT findings. As such, it’s wise for financial entities to choose a Bug Bounty platform with robust mechanisms around confidentiality and information integrity (YesWeHack demonstrates these capabilities through ISO 27001 and ISO 27017 certifications). A secure, encrypted channel for communicating with vulnerability researchers is a must too.
Contrary to prevalent misconceptions, Bug Bounty platforms can help organisations certify compliance and share vulnerability information with relevant authorities, thanks to interactive dashboards and one-click generation of proofs of audit and exportable executive summaries.
Many organisations already use Bug Bounty programs to demonstrate compliance with ISO 27001, whose risk-based prescriptions for continuous testing provide an invaluable springboard for DORA compliance.
DORA’s risk management framework, meanwhile, requires that organisations identify, classify and document ICT assets. They must also continuously monitor exposure to cyber threats and vulnerabilities.
This is where Attack Surface Management (ASM) comes in. YesWeHack’s newly launched ASM platform gives InfoSec teams a real-time, comprehensive picture of their online assets and exposure to known vulnerabilities, as well as automated, risk-based prioritisation of those bugs.
Given the complexity of mapping let alone securing ballooning attack surfaces, it’s little wonder that Gartner has cited continuous attack surface management as a top strategic technology trend for 2024.